CVE-2018-12545: High severity ibm cognos analytics vulnerability

Published Mar 27, 2019
·
Updated

Eclipse Jetty is vulnerable to a denial of service, caused by the additional CPU and memory allocations required to handle changed settings. By sending either large SETTINGs frames container containing many settings, or many small SETTINGs frames, a remote attacker could exploit this vulnerability to cause a denial of service.

Other sources

In Eclipse Jetty version 9.3.x and 9.4.x, the server is vulnerable to Denial of Service conditions if a remote client sends either large SETTINGs frames container containing many settings, or many small SETTINGs frames. The vulnerability is due to the additional CPU and memory allocations required to handle changed settings.

Affected Software

87 affected componentsFixes available
IBM Cognos Analytics<=12.0.0-12.0.3
IBM Cognos Analytics<=11.2.0-11.2.4 FP3
Mortbay Jetty=9.3.0-20150601
Mortbay Jetty=9.3.0-20150608
Mortbay Jetty=9.3.0-20150612
Mortbay Jetty=9.3.0-maintenance0
Mortbay Jetty=9.3.0-maintenance1
Mortbay Jetty=9.3.0-maintenance2
Mortbay Jetty=9.3.0-rc0
Mortbay Jetty=9.3.0-rc1
Mortbay Jetty=9.3.1-20150714
Mortbay Jetty=9.3.2-20150730
Mortbay Jetty=9.3.3-20150825
Mortbay Jetty=9.3.3-20150827
Mortbay Jetty=9.3.4-20151005
Mortbay Jetty=9.3.4-20151007
Mortbay Jetty=9.3.4-rc0
Mortbay Jetty=9.3.4-rc1
Mortbay Jetty=9.3.5-20151012
Mortbay Jetty=9.3.6-20151106
Mortbay Jetty=9.3.7-20160115
Mortbay Jetty=9.3.7-rc0
Mortbay Jetty=9.3.7-rc1
Mortbay Jetty=9.3.8-20160311
Mortbay Jetty=9.3.8-20160314
Mortbay Jetty=9.3.8-rc0
Mortbay Jetty=9.3.9-20160517
Mortbay Jetty=9.3.9-maintenance_0
Mortbay Jetty=9.3.9-maintenance_1
Mortbay Jetty=9.3.10-20160621
Mortbay Jetty=9.3.10-maintenance_0
Mortbay Jetty=9.3.11-20160721
Mortbay Jetty=9.3.11-maintenance_0
Mortbay Jetty=9.3.12-20160915
Mortbay Jetty=9.3.13-20161014
Mortbay Jetty=9.3.13-maintenance_0
Mortbay Jetty=9.3.14-20161028
Mortbay Jetty=9.3.15-20161220
Mortbay Jetty=9.3.16-20170119
Mortbay Jetty=9.3.16-20170120
Mortbay Jetty=9.3.17-20170317
Mortbay Jetty=9.3.17-rc0
Mortbay Jetty=9.3.18-20170406
Mortbay Jetty=9.3.19-20170502
Mortbay Jetty=9.3.20-20170531
Mortbay Jetty=9.3.21-20170918
Mortbay Jetty=9.3.21-maintenance_0
Mortbay Jetty=9.3.21-rc0
Mortbay Jetty=9.3.22-20171030
Mortbay Jetty=9.3.23-20180228
Mortbay Jetty=9.3.24-20180605
Mortbay Jetty=9.4.0-20161207
Mortbay Jetty=9.4.0-20161208
Mortbay Jetty=9.4.0-20180619
Mortbay Jetty=9.4.0-maintenance_0
Mortbay Jetty=9.4.0-maintenance_1
Mortbay Jetty=9.4.0-rc0
Mortbay Jetty=9.4.0-rc1
Mortbay Jetty=9.4.0-rc2
Mortbay Jetty=9.4.0-rc3
Mortbay Jetty=9.4.1-20170120
Mortbay Jetty=9.4.1-20180619
Mortbay Jetty=9.4.2-20170220
Mortbay Jetty=9.4.2-20180619
Mortbay Jetty=9.4.3-20170317
Mortbay Jetty=9.4.3-20180619
Mortbay Jetty=9.4.4-20170410
Mortbay Jetty=9.4.4-20170414
Mortbay Jetty=9.4.4-20180619
Mortbay Jetty=9.4.5-20170502
Mortbay Jetty=9.4.5-20180619
Mortbay Jetty=9.4.6-20170531
Mortbay Jetty=9.4.6-20180619
Mortbay Jetty=9.4.7-20170914
Mortbay Jetty=9.4.7-20180619
Mortbay Jetty=9.4.7-rc0
Mortbay Jetty=9.4.8-20171121
Mortbay Jetty=9.4.8-20180619
Mortbay Jetty=9.4.9-20180320
Mortbay Jetty=9.4.10-20180503
Mortbay Jetty=9.4.10-rc0
Mortbay Jetty=9.4.10-rc1
Mortbay Jetty=9.4.11-20180605
Mortbay Jetty=9.4.12-rc0
Mortbay Jetty=9.4.12-rc1
Mortbay Jetty=9.4.12-rc2
fedoraproject fedora=28

Remediation

Patch Available

https://lists.apache.org/thread.html/13f5241048ec0bf966a6ddd306feaf40de5b20e1f09096b9cddeddf2@%3Ccommits.accumulo.apache.org%3E

Patch Available

https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

Event History

Mar 27, 2019
CVE Published
via MITRE·07:21 PM
Data Sourced
via MITRE·07:21 PM
DescriptionWeakness

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2018-12545?

The severity of CVE-2018-12545 is considered high due to its potential to cause denial of service.

2

How do I fix CVE-2018-12545?

To fix CVE-2018-12545, upgrade to a version of Eclipse Jetty that includes the patch for this vulnerability.

3

What versions of Eclipse Jetty are affected by CVE-2018-12545?

CVE-2018-12545 affects multiple versions of Eclipse Jetty, including specific releases from 9.3.0 to 9.4.x.

4

What kind of attacks can exploit CVE-2018-12545?

CVE-2018-12545 can be exploited by sending large or numerous SETTINGs frames, leading to excessive CPU and memory usage.

5

Is there a workaround for CVE-2018-12545?

There are no confirmed workarounds for CVE-2018-12545; applying the patch is the recommended solution.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203